Abstract. We prove a general finite convergence theorem for "upward-guarded" fixpoint expressions over a well-quasi-ordered set. This has immediate applications in regular model checking of well-structured systems, where a main issue is the eventual convergence of fixpoint computations. In particular, we are able to directly obtain several new decidability results on lossy channel systems.



1 Introduction 

Regular model checking [23,14,33] is a popular paradigm for the symbolic verification of models with infinite state space. It has been applied to varied families of systems ranging from distributed algorithms and channel systems to hybrid systems and programs handling dynamic data structures.

In regular model checking, one works with regular sets of states and handles them via finite descriptions, e.g., finite-state automata or regular expressions. Models amenable to regular model checking are such that, when $S \subseteq Conf$ is regular, then $Post(S)$ (or $Pre(S)$), the set of 1-step successors (resp., predecessors), is again a regular set that can be computed effectively from $S$. Since regular sets are closed under Boolean operations, one can¹ try to compute the reachability set $Post^*(Init)$, as the limit of the sequence

$$S_0 := Init;\quad S_1 := S_0 \cup Post(S_0);\quad \ldots\quad S_{n+1} := S_n \cup Post(S_n);\quad \ldots \qquad (*)$$

Since equality of regular sets is decidable, the computation of $(*)$ can contain a test that detects if the limit is reached in finite time, i.e., if $S_{n+1} = S_n$ for some $n \in \mathbb{N}$.

With infinite-state models, the main difficulty is convergence. It is very rare that a fixpoint computation like $(*)$ converges in finite time, and innovative techniques that try to compute directly, or guess and check, or approximate the limit set $Post^*(Init)$, are currently under active scrutiny [12,11,13,21,10].

Well-structured transition systems (WSTS) are a generic family of models for which the co-reachability set $Pre^*(Final)$ can be computed symbolically with a backward-chaining version of $(*)$ [19]. For WSTS's, convergence of the fixpoint computation is ensured by WQO theory: one handles upward-closed sets, and increasing sequences of upward-closed sets always converge in finite time when the underlying ordering is a well-quasi-ordering (a WQO), as is the case with WSTS's.

¹ Actually, such symbolic computations are possible with any class of representation closed under, and providing algorithms for, $Pre$ or $Post$, Boolean operations, vacuity [23,22].
Computing $Pre^*(Final)$ for reachability analysis is just a special case of fixpoint computation. When dealing with richer temporal properties, one is interested in more complex fixpoints. E.g., the set of states satisfying the CTL formula $\exists[Cond\,\mathsf{U}\,Goal]$ is definable via a least-fixpoint expression: $\mu X.\,Goal \cup (Cond \cap Pre(X))$. For game-theoretic properties, similar fixpoints are involved. E.g., the set of states from which the first player in a turn-based game can enforce reaching a goal is given by $\mu X.\,Goal \cup Pre(\widetilde{Pre}(X))$.

Our contribution. In this paper, we define a notion of $\mu$-expressions where recursion is guarded by upward-closure operators, and give a general finite convergence theorem for all such expressions. The consequence is that these fixpoint expressions can be evaluated symbolically by an iterative procedure. The guarded fragment we isolate is very relevant for the verification of well-structured transition systems, as we demonstrate by providing several new decidability results on channel systems.

Related work. Henzinger et al. give general conditions for the convergence of fixpoint computations for temporal [22] or game-theoretic [17] properties, but the underlying framework (finite quotients) is different and has different applications (timed and hybrid systems). Our applications to well-structured transition systems generalize results from [2,31,32,25] that rely on more ad-hoc finite convergence lemmas.

2 A guarded mu-calculus 

We assume basic understanding of $\mu$-calculi techniques (otherwise see [1]) and of well-quasi-ordering (WQO) theory (otherwise see [28,24], or simply [19, sect. 2.1]).

Let $(W, \sqsubseteq)$ be a well-quasi-ordered set. A subset $V$ of $W$ is upward-closed if $w \in V$ whenever $v \sqsubseteq w$ for some $v \in V$. From WQO theory, we mostly need the following result:

Fact 2.1 (Finite convergence). If $V_0 \subseteq V_1 \subseteq V_2 \subseteq \cdots$ is an infinite increasing sequence of upward-closed subsets of $W$, then for some index $k \in \mathbb{N}$, $\bigcup_{i \in \mathbb{N}} V_i = V_k$.

The upward-closure of $V \subseteq W$, denoted $C_\uparrow(V)$, is the smallest upward-closed set that contains $V$. The upward-kernel of $V$, denoted $K_\uparrow(V)$, is the largest upward-closed set included in $V$. There are symmetric notions of downward-closed subset of $W$, of downward-closure, $C_\downarrow(V)$, and of downward-kernel, $K_\downarrow(V)$, of $V$. The complement of an upward-closed subset is downward-closed. Observe that $C_\uparrow(V) = V = K_\uparrow(V)$ iff $V$ is upward-closed, and that $C_\uparrow$ and $K_\downarrow$ (resp., $C_\downarrow$ and $K_\uparrow$) are dual:

$$W \setminus K_\downarrow(V) = C_\uparrow(W \setminus V), \qquad W \setminus K_\uparrow(V) = C_\downarrow(W \setminus V). \qquad (1)$$

Monotonic region algebra. In symbolic model-checking, a region algebra is a family of sets of states (subsets of $W$) that is closed under Boolean and other operators like images or inverse images [22].

Here we consider regions generated by a family $O = \{o_1, o_2, \ldots\}$ of (monotonic) operators. By a $k$-ary operator, we mean a monotonic mapping $o : (2^W)^k \to 2^W$ that associates a subset $o(V_1, \ldots, V_k) \subseteq W$ with any $k$ subsets $V_1, \ldots, V_k$. Monotonicity means that $o(V_1, \ldots, V_k) \subseteq o(V'_1, \ldots, V'_k)$ when $V_i \subseteq V'_i$ for $i = 1, \ldots, k$. We allow nullary operators, i.e., fixed subsets of $W$. Finally, we require that $O$ contains at least four special unary operators: $C_\uparrow, C_\downarrow, K_\uparrow, K_\downarrow$, and two special nullary operators: $\emptyset$ and $W$.

The region algebra generated by $O$, denoted with $\mathcal{R}_O$ or simply $\mathcal{R}$, is the set of all the subsets of $W$, called regions, that can be obtained by applying operators from $O$ on already constructed regions, starting with nullary operators. Equivalently, $\mathcal{R}$ is the least subset of $2^W$ that is closed under $O$.

We say the region algebra generated by $O$ is effective if there are algorithms implementing the operators in $O$ and an effective membership algorithm saying whether $w \in R$ for some $w \in W$ and some region $R \in \mathcal{R}_O$. Such effectiveness assumptions presuppose a finitary encoding of regions and elements of $W$: if there are several possible encodings for a same region, we assume an effective equality test.

Extending the region algebra with fixpoints. Let $\mathcal{X} = \{X_1, X_2, \ldots\}$ be a countable set of variables. $L_\mu(W, \sqsubseteq, O)$, or shortly $L_\mu$ when $(W, \sqsubseteq)$ and $O$ are clear from the context, is the set of $O$-terms with least and greatest fixpoints given by the following abstract syntax:

$$L_\mu \ni \varphi, \psi ::= o(\varphi_1, \ldots, \varphi_k) \mid X \mid \mu X.\varphi \mid \nu X.\varphi \mid C_\uparrow(\varphi) \mid C_\downarrow(\varphi) \mid K_\uparrow(\varphi) \mid K_\downarrow(\varphi)$$

where $X$ runs over variables from $\mathcal{X}$, and $o$ over operators from $O$. $\mu X.\varphi$ and $\nu X.\varphi$ are fixpoint expressions. Free and bound occurrences of variables are defined as usual. We assume that no variable has both bound and free occurrences in some $\varphi$, and that no two fixpoint subterms bind the same variable: this can always be ensured by renaming bound variables. (The abstract syntax for $L_\mu$ could be shorter but we wanted to stress that $C_\uparrow$, $C_\downarrow$, $K_\uparrow$, and $K_\downarrow$ are required to be present in $O$.)

The meaning of terms is as expected: an environment is a mapping $env : \mathcal{X} \to 2^W$ that interprets each variable $X \in \mathcal{X}$ as a subset of $W$. Given $env$, a term $\varphi \in L_\mu$ denotes a subset of $W$, written $[\![\varphi]\!]_{env}$ and defined by induction on the structure of $\varphi$:

$$[\![X]\!]_{env} \stackrel{def}{=} env(X), \qquad [\![o(\varphi_1, \ldots, \varphi_k)]\!]_{env} \stackrel{def}{=} o([\![\varphi_1]\!]_{env}, \ldots, [\![\varphi_k]\!]_{env}),$$

$$[\![C_\uparrow(\varphi)]\!]_{env} = C_\uparrow([\![\varphi]\!]_{env}), \qquad [\![C_\downarrow(\varphi)]\!]_{env} = C_\downarrow([\![\varphi]\!]_{env}),$$

$$[\![\mu X.\varphi]\!]_{env} = \mathrm{lfp}(\Omega[\varphi, X, env]), \qquad [\![\nu X.\varphi]\!]_{env} = \mathrm{gfp}(\Omega[\varphi, X, env]),$$

where $\Omega[\varphi, X, env] : 2^W \to 2^W$ is a unary operator defined by $\Omega[\varphi, X, env](V) \stackrel{def}{=} [\![\varphi]\!]_{env[X := V]}$, using the standard variant notation "$env[X := V]$" for the environment that agrees with $env$ everywhere except on $X$ where it returns $V$. As usual, $[\![\varphi]\!]_{env}$ does not depend on $env(X)$ if $X$ is not free in $\varphi$, so that we may shortly write $[\![\varphi]\!]$ when $\varphi$ is a closed term, i.e., a term with no free variables.

We recall that the semantics of the fixpoint terms is well-defined since, for every $\varphi$, $X$ and $env$, $\Omega[\varphi, X, env]$ is monotonic (and since $(2^W, \subseteq)$ is a complete lattice). Moreover, if $env$ and $env'$ are such that $env(X) \subseteq env'(X)$ for all $X \in \mathcal{X}$, shortly written $env \subseteq env'$, then $\mathrm{lfp}(\Omega[\varphi, X, env]) \subseteq \mathrm{lfp}(\Omega[\varphi, X, env'])$ and $\mathrm{gfp}(\Omega[\varphi, X, env]) \subseteq \mathrm{gfp}(\Omega[\varphi, X, env'])$.
Definition 2.2 (Upward- and downward-guardedness).

1. A variable $X$ is upward-guarded in $\varphi$ if all free occurrences of $X$ in $\varphi$ are in the scope of either a $C_\uparrow$ or a $K_\uparrow$ operator, i.e., appear in a subterm of the form $C_\uparrow(\psi)$ or $K_\uparrow(\psi)$.

2. Dually, $X$ is downward-guarded in $\varphi$ if all its free occurrences are in the scope of a $C_\downarrow$ or a $K_\downarrow$ operator.

3. A term $\varphi$ is guarded if all its least-fixpoint subterms $\mu X.\psi$ have $X$ upward-guarded in $\psi$, and all its greatest-fixpoint subterms $\nu X.\psi$ have $X$ downward-guarded in $\psi$.
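Definition 2.2 is purely syntactic, so it can be checked mechanically. The following checker is an added example and not code from the paper; the tuple encoding of terms is a constructed one, and the sample terms it is run on are the two forms of $Pre^*$ in equation (6), the safety term of equation (7), and the unguarded $[\![\exists\Box\Diamond V]\!]$ term of section 3.2.

```python
# Added example (not from the paper): a syntactic checker for Definition 2.2.
# Terms are nested tuples (a constructed encoding): ('var', X), ('op', name, [args]),
# ('C↑', t), ('C↓', t), ('K↑', t), ('K↓', t), ('mu', X, t), ('nu', X, t).
# Nullary operators (fixed regions such as V or Conf) are ('op', name, []).

UP_GUARDS, DOWN_GUARDS = ('C↑', 'K↑'), ('C↓', 'K↓')

def guarded_by(x, term, guards, inside=False):
    """True iff every free occurrence of variable x in term lies in the scope of one
    of the operators in `guards`; `inside` says whether we are already under one."""
    kind = term[0]
    if kind == 'var':
        return term[1] != x or inside
    if kind in ('mu', 'nu'):
        if term[1] == x:              # x is rebound here: occurrences below are not free
            return True
        return guarded_by(x, term[2], guards, inside)
    if kind == 'op':
        return all(guarded_by(x, a, guards, inside) for a in term[2])
    # one of the four closure/kernel operators
    return guarded_by(x, term[1], guards, inside or kind in guards)

def upward_guarded(x, term):
    return guarded_by(x, term, UP_GUARDS)

def downward_guarded(x, term):
    return guarded_by(x, term, DOWN_GUARDS)

def is_guarded(term):
    """Definition 2.2(3): every mu X.psi has X upward-guarded in psi and every
    nu X.psi has X downward-guarded in psi, recursively through all subterms."""
    kind = term[0]
    if kind == 'var':
        return True
    if kind == 'op':
        return all(is_guarded(a) for a in term[2])
    if kind == 'mu':
        return upward_guarded(term[1], term[2]) and is_guarded(term[2])
    if kind == 'nu':
        return downward_guarded(term[1], term[2]) and is_guarded(term[2])
    return is_guarded(term[1])

# Small constructors so the sample terms read like the paper's notation
def region(name): return ('op', name, [])
def pre(t): return ('op', 'Pre', [t])
def pre_dual(t): return ('op', 'Pre~', [t])
def union(*ts): return ('op', '∪', list(ts))
def inter(*ts): return ('op', '∩', list(ts))
def c_up(t): return ('C↑', t)
def k_down(t): return ('K↓', t)
X, Y = ('var', 'X'), ('var', 'Y')

# Equation (6): the first form is not guarded, the second is
PRE_STAR_UNGUARDED = ('mu', 'X', union(region('V'), pre(X)))
PRE_STAR_GUARDED = ('mu', 'X', union(region('V'), pre(c_up(X))))
# Equation (7): nu X. V2 ∩ (Pre~(K↓(X)) ∪ V1)
SAFETY = ('nu', 'X', inter(region('V2'), union(pre_dual(k_down(X)), region('V1'))))
# [∃□◇V] = nu X. mu Y. ((V ∪ Pre(Y)) ∩ Pre(X)): neither fixpoint variable is guarded
RECURRENT = ('nu', 'X', ('mu', 'Y', inter(union(region('V'), pre(Y)), pre(X))))
```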

Given some $\varphi$, $X$ and $env$, the approximants of $\mathrm{lfp}(\Omega[\varphi, X, env])$ are given by the sequence $(M_i)_{i \in \mathbb{N}}$ of subsets of $W$ defined inductively with $M_0 = \emptyset$ and $M_{i+1} = [\![\varphi]\!]_{env[X := M_i]}$. Monotonicity yields

$$M_0 \subseteq M_1 \subseteq M_2 \subseteq \cdots \subseteq \mathrm{lfp}(\Omega[\varphi, X, env]). \qquad (2)$$

Similarly we define $(N_i)_{i \in \mathbb{N}}$ by $N_0 = W$ and $N_{i+1} = [\![\varphi]\!]_{env[X := N_i]}$, so that

$$N_0 \supseteq N_1 \supseteq N_2 \supseteq \cdots \supseteq \mathrm{gfp}(\Omega[\varphi, X, env]). \qquad (3)$$

Lemma 2.3 (Finite convergence of approximants). If $X$ is upward-guarded in $\varphi$, then there exists an index $k \in \mathbb{N}$ such that

$$[\![\mu X.\varphi]\!]_{env} = M_k = M_{k+1} = M_{k+2} = \cdots \qquad (4)$$

Dually, if $X$ is downward-guarded in $\varphi$, then there exists a $k' \in \mathbb{N}$ such that

$$[\![\nu X.\varphi]\!]_{env} = N_{k'} = N_{k'+1} = N_{k'+2} = \cdots \qquad (5)$$

Proof. We only prove the first half since the other half is dual. Let $\psi_1, \ldots, \psi_m$ be the maximal subterms of $\varphi$ that are immediately under the scope of a $C_\uparrow$ or a $K_\uparrow$ operator. Then $\varphi$ can be decomposed under the form

$$\varphi = \Phi(\sharp_1\psi_1, \ldots, \sharp_m\psi_m)$$

where the context $\Phi(Y_1, \ldots, Y_m)$ uses fresh variables $Y_1, \ldots, Y_m$ to be substituted in, and where $\sharp_i$ is either $C_\uparrow$ or $K_\uparrow$ depending on how $\psi_i$ appears in $\varphi$. In either case, and for any environment $env'$, the set $[\![\sharp_i\psi_i]\!]_{env'}$ is upward-closed.

For $V_1, \ldots, V_m \subseteq W$ we shortly write $[\![\Phi]\!](V_1, \ldots, V_m)$ for $[\![\Phi]\!]_{env[Y_1 := V_1, \ldots, Y_m := V_m]}$. Since $X$ is upward-guarded in $\varphi$, it has no occurrence in $\Phi$, only in the $\psi_i$'s, so that

$$M_{i+1} = [\![\varphi]\!]_{env[X := M_i]} = [\![\Phi]\!]\big([\![\sharp_1\psi_1]\!]_{env[X := M_i]}, \ldots, [\![\sharp_m\psi_m]\!]_{env[X := M_i]}\big) = [\![\Phi]\!](L_{i,1}, \ldots, L_{i,m})$$

writing $L_{i,j}$ for $[\![\sharp_j\psi_j]\!]_{env[X := M_i]}$. From $M_0 \subseteq M_1 \subseteq M_2 \subseteq \cdots$, we deduce $L_{0,j} \subseteq L_{1,j} \subseteq L_{2,j} \subseteq \cdots$. Since $K_\uparrow$ and $C_\uparrow$ return upward-closed sets, the $L_{i,j}$'s are upward-closed subsets of $W$. For all $j = 1, \ldots, m$, Fact 2.1 implies that there is an index $k_j$ such that $L_{i,j} = L_{k_j,j}$ for all $i \geq k_j$. Picking $K = \max(k_1, \ldots, k_m)$ gives for any $i \geq K$

$$M_{i+1} = [\![\Phi]\!](L_{i,1}, \ldots, L_{i,m}) = [\![\Phi]\!](L_{k_1,1}, \ldots, L_{k_m,m}) = [\![\Phi]\!](L_{K,1}, \ldots, L_{K,m}) = M_{K+1}.$$

Thus $\bigcup_{i \in \mathbb{N}} M_i = M_{K+1} = M_{K+2}$ and $M_{K+1}$ is a fixpoint of $\Omega[\varphi, X, env]$, hence the least one thanks to (2). Picking $k = K+1$ satisfies (4). □
Regions with guarded fixpoints. We can now prove our main result: subsets defined by $L_\mu$ terms are regions (and can be computed effectively if the underlying region algebra is effective).

By a region-environment we mean an environment $env : \mathcal{X} \to \mathcal{R}$ that associates regions with variables. If $env$ is a region-environment, and $\varphi$ has only free variables, i.e., has no fixpoint subterms, then $[\![\varphi]\!]_{env}$ is a region.

Theorem 2.4. If $\varphi \in L_\mu$ is guarded and $env$ is a region-environment then $[\![\varphi]\!]_{env}$ is a region. Furthermore, if the region algebra is effective, then $[\![\varphi]\!]_{env}$ can be computed effectively from $\varphi$ and $env$.

Proof. By structural induction on $\varphi$. If $\varphi = o()$ is a nullary operator, the result holds by definition of the region algebra. If $\varphi = o(\varphi_1, \ldots, \varphi_k)$, the $[\![\varphi_i]\!]_{env}$'s are (effectively) regions by induction hypothesis, so that $[\![\varphi]\!]_{env}$ is an (effective) region too by definition. In particular, this argument applies when $o$ is a nullary operator, or is one of the unary operators we singled out: $C_\uparrow, C_\downarrow, K_\uparrow$, and $K_\downarrow$.

If $\varphi = \mu X.\psi$, we can apply Lemma 2.3 after we have proved that each one of the approximants $M_0, M_1, M_2, \ldots$ of $[\![\varphi]\!]_{env}$ are regions. In particular, $M_0 = \emptyset$ is a region, and if $M_i$ is a region, then $M_{i+1} = [\![\psi]\!]_{env[X := M_i]}$ is one too, since $env' = env[X := M_i]$ is a region-environment, and since by induction hypothesis $[\![\psi]\!]_{env'}$ is a region when $env'$ is a region-environment. When $\mathcal{R}_O$ is effective, the $M_i$ can be computed effectively, and one can detect when $M_k = M_{k+1}$ since region equality is decidable by definition. Then $[\![\varphi]\!]_{env} = M_k$ can be computed effectively. Finally, the case where $\varphi = \nu X.\psi$ is dual. □

Corollary 2.5 (Decidability for guarded $L_\mu$ properties). The following problems are decidable for effective monotonic region algebras:

Model-checking: "Does $w \in [\![\varphi]\!]$?" for a $w \in W$ and a closed and guarded $\varphi \in L_\mu$.
Satisfiability: "Is $[\![\varphi]\!]$ non-empty?" for a closed and guarded $\varphi \in L_\mu$.
Universality: "Does $[\![\varphi]\!] = W$?" for a closed and guarded $\varphi \in L_\mu$.

A region algebra of regular languages. Consider $W = \Sigma^*$, the set of finite words over some finite alphabet $\Sigma$. The subword ordering, defined by "$u \sqsubseteq v$ iff $u$ can be obtained by erasing some letters from $v$", is a WQO (Higman's Lemma). Regular languages over $\Sigma$ are a natural choice for regions: observe that the closure operators $C_\uparrow$ and $C_\downarrow$ preserve regularity and have effective implementations.² Natural operators to be considered in $O$ are $\cup$ (union) and $\cap$ (intersection). However, any operation on languages that is monotonic, preserves regularity, and has an effective implementation on regular languages can be added. This includes concatenation (denoted $R.R'$), star-closure (denoted $R^*$), left- and right-residuals ($R^{-1}R' \stackrel{def}{=} \{v \mid \exists u \in R,\ uv \in R'\}$), shuffle product (denoted $R \parallel R'$), reverse (denoted $\widetilde{R}$), conjugacy ($\overset{\circ}{R} \stackrel{def}{=} \{vu \mid uv \in R\}$), homomorphic and inverse-homomorphic images, and many more [30]. Complementation is not allowed in $O$ (it is not monotonic)

² From a FSA for $R$, one obtains a FSA for $C_\uparrow(R)$ simply by adding loops $q \xrightarrow{a} q$ on all states $q$ of the FSA and for all letters $a \in \Sigma$. A FSA for $C_\downarrow(R)$ is obtained by adding $\varepsilon$-transitions $q \xrightarrow{\varepsilon} q'$ whenever there is a $q \xrightarrow{a} q'$. From this, $K_\uparrow$ and $K_\downarrow$ can be implemented using (1).
but the duals of all above-mentioned operators can be included in $O$ (without compromising effectiveness) so that, for all practical purposes, complement can be used with the restriction that bound variables in terms are under an even number of complementations.

An application of Theorem 2.4 is that, if $R_1$ and $R_2$ are regular languages, then the language defined as $\mu X.\nu Y.\big(K_\uparrow[R_1 \parallel (X^* \cap C_\downarrow(\widetilde{Y} \cap X^{-1}R_2))]\big)$ is regular and a finite representation for it (e.g., a regular expression or a minimal DFA) can be constructed from $R_1$ and $R_2$.

3 Verification of lossy channel systems 

Theorem 2.4 has several applications for regular model checking of lossy channel systems (LCS) and other families of well-structured systems [3,19]. In the rest of this paper we concentrate on LCS's.

3.1 Channel systems, perfect and lossy 

A channel system is a tuple $L = (Q, C, M, \Delta)$ consisting of a finite set $Q = \{p, q, \ldots\}$ of locations, a finite set $C = \{c, \ldots\}$ of channels, a finite message alphabet $M = \{m, \ldots\}$ and a finite set $\Delta = \{\delta, \ldots\}$ of transition rules. Each transition rule has the form $q \xrightarrow{op} p$ where $op$ is an operation: $c!m$ (sending message $m \in M$ along channel $c \in C$), $c?m$ (receiving message $m$ from channel $c$), or $\surd$ (an internal action to some process, no I/O-operation).

Operational semantics. Let $L = (Q, C, M, \Delta)$ be a channel system. A configuration (also, a state) is a pair $\sigma = (q, w)$ where $q \in Q$ is a location and $w : C \to M^*$ is a channel valuation that associates with any channel its content (a sequence of messages). The set $Q \times (M^*)^C$ of all configurations is denoted by $Conf = \{\sigma, \rho, \ldots\}$. For a subset $V$ of $Conf$, we let $\overline{V} \stackrel{def}{=} Conf \setminus V$.

Steps between configurations are as expected. Formally, $\sigma = (q, w)$ leads to $\sigma' = (q', w')$ by firing $\delta = p \xrightarrow{op} r$, denoted $\sigma \xrightarrow{\delta}_{perf} \sigma'$, if and only if $q = p$, $q' = r$ and $w'$ is obtained from $w$ by the effect of $op$ (the "perf" subscript emphasizes that the step is perfect: without losses). Precisely, $w'(c) = w(c)$ for all channels $c$ that are not touched upon by $op$, and

$$w'(c) = \begin{cases} w(c)\,m & \text{if } op = c!m,\\ m^{-1}\,w(c) & \text{if } op = c?m. \end{cases}$$

Thus, when $op = c?m$, $w'$ is only defined if $w(c)$ starts with $m$ and indeed this is the intended condition for firing $\delta$. Whenever $\sigma \xrightarrow{\delta} \rho$ for some $\rho$, we say that $\delta$ is enabled in $\sigma$, written $\delta \in \Delta(\sigma)$.

Below we restrict our attention to LCS's where from each $q \in Q$ there is at least one rule $q \xrightarrow{op} p$ in $\Delta$ where $op$ is not a receiving action: this ensures that the LCS has no deadlock states and simplifies many technical details without losing any generality.
Lossy systems. In lossy channel systems, losing messages is formalized via the subword ordering, extended from $M^*$ to $Conf$: $(q, w) \sqsubseteq (q', w')$ if $q = q'$ and $w(c) \sqsubseteq w'(c)$ for all channels $c \in C$.

A (possibly lossy) step in the LCS is made of a perfect step followed by arbitrary losses:³ formally, we write $\sigma \xrightarrow{\delta} \rho$ whenever there is a perfect step $\sigma \xrightarrow{\delta}_{perf} \sigma'$ such that $\rho \sqsubseteq \sigma'$. This gives rise to a labeled transition system $LTS_L \stackrel{def}{=} (Conf, \Delta, \to)$, that can be given a WSTS structure by the following relation: $\sigma \preceq \rho \stackrel{def}{\Leftrightarrow} \sigma \sqsubseteq \rho \wedge \Delta(\sigma) = \Delta(\rho)$. Both $\sqsubseteq$ and $\preceq$ turn $Conf$ into a WQO.

Remark 3.1. From now on we assume for the sake of simplicity that $(Conf, \sqsubseteq)$ is the WQO on which $L_\mu$ is defined. All results could be strengthened using $(Conf, \preceq)$. □

Following standard notations for transition systems $(Conf, \Delta, \to)$ labeled over some $\Delta$, we write $Pre[\delta](\sigma) \stackrel{def}{=} \{\rho \in Conf \mid \rho \xrightarrow{\delta} \sigma\}$ for the set of predecessors via $\delta$ of $\sigma$ in $L$. Then $Pre(\sigma) \stackrel{def}{=} \bigcup_{\delta \in \Delta} Pre[\delta](\sigma)$ has all 1-step predecessors of $\sigma$, and $Pre(V) \stackrel{def}{=} \bigcup_{\sigma \in V} Pre(\sigma)$ has all 1-step predecessors of states in $V$. The dual $\widetilde{Pre}$ of $Pre$ is defined by $\widetilde{Pre}(V) \stackrel{def}{=} \overline{Pre(\overline{V})}$. Thus $\sigma \in \widetilde{Pre}(V)$ iff all 1-step successors of $\sigma$ are in $V$ (this includes the case where $\sigma$ is a deadlock state).

Seen as unary operators on $2^{Conf}$, both $Pre$ and $\widetilde{Pre}$ are monotonic and even continuous for all transition systems [35]. For LCS's, the following lemma states that $Pre$ is compatible with the WQO on states, which will play a crucial role later when we want to show that some term is guarded.

Lemma 3.2. Let $V \subseteq Conf$ in the transition system $LTS_L$ associated with a LCS $L$. Then $Pre(V) = Pre(C_\uparrow(V))$ and $\widetilde{Pre}(V) = \widetilde{Pre}(K_\downarrow(V))$.

Proof. $V \subseteq C_\uparrow(V)$ implies $Pre(V) \subseteq Pre(C_\uparrow(V))$. Now $\sigma \in Pre(C_\uparrow(V))$ implies that $\sigma \to \rho \sqsupseteq \rho'$ for some $\rho' \in V$. But then $\sigma \to \rho'$ by definition of lossy steps and $\sigma \in Pre(V)$. The second equality is dual. □

An effective region algebra for LCS's. We are now ready to apply the framework of section 2 to regular model checking of lossy channel systems. Assume $L = (Q, C, M, \Delta)$ is a given LCS. A region $R \in \mathcal{R}$ is any "regular" subset of $Conf$. More formally, it is any set $R \subseteq Conf$ that can be written under the form

$$R = \sum_{i \in I} (q_i, R_i^1, \ldots, R_i^{|C|})$$

where $I$ is a finite index set, the $q_i$'s are locations from $Q$, and each $R_i^j$ is a regular language on alphabet $M$. The notation has obvious interpretation, with summation denoting set union (the empty sum is denoted $\emptyset$). We are not more precise on how such

³ Note that, with this definition, message losses only occur after steps (thus, not in the initial configuration). The usual definition allows arbitrary losses before and after a step. There is no essential semantical difference between these two ways of grouping atomic events into single "steps". The usual definition is technically smoother when LCS's are viewed as nondeterministic systems, but becomes unnatural in situations where several adversarial processes compete, e.g., in probabilistic LCS's [5] or other game-theoretical settings we explore in sections 4 and 5.
regions could be effectively represented (see [2]), but they could be handled as, e.g., regular expressions or FSAs over the extended alphabet $M \cup Q \cup \{\text{'('}, \text{')'}, \text{','}\}$.

The set $O$ of operators includes union, intersection, $C_\uparrow, C_\downarrow, K_\uparrow, K_\downarrow$: these are monotonic, regularity-preserving, and effective operators as explained in our example at the end of section 2. Operators specific to regular model-checking are $Pre$ and $\widetilde{Pre}$. That they are regularity-preserving and effective is better seen by first looking at the special case of perfect steps. For a rule $\delta = p \xrightarrow{op} q$,

$$Pre_{perf}[\delta](r, R^1, \ldots, R^{|C|}) = \begin{cases} (p, R^1, \ldots, R^{j-1}, R^j m^{-1}, R^{j+1}, \ldots, R^{|C|}) & \text{if } q = r \text{ and } op = c_j!m,\\ (p, R^1, \ldots, R^{j-1}, m R^j, R^{j+1}, \ldots, R^{|C|}) & \text{if } q = r \text{ and } op = c_j?m,\\ (p, R^1, \ldots, R^{|C|}) & \text{if } q = r \text{ and } op = \surd,\\ \emptyset & \text{otherwise,} \end{cases}$$

$$Pre_{perf}\Big(\sum_{i \in I} (q_i, R_i^1, \ldots, R_i^{|C|})\Big) = \sum_{i \in I}\ \sum_{\delta \in \Delta} Pre_{perf}[\delta](q_i, R_i^1, \ldots, R_i^{|C|}),$$

where the notations "$mR$" (for concatenation) and "$Rm^{-1}$" (for right-residuals) are as in section 2. For lossy steps we use

$$Pre(R) = Pre_{perf}(C_\uparrow(R)).$$

Clearly, both $Pre_{perf}$ and $Pre$ are effective operators on regions.



3.2 Regular model-checking for lossy channel systems 

Surprising decidability results for lossy channel systems are what launched the study of this model [18,5,15]. We reformulate several of these results as a direct consequence of Theorem 2.4 before moving to new problems and new decidability results in the next sections. Note that our technique is applied here to a slightly different operational semantics (cf. footnote 3) but it would clearly apply as directly to the simpler semantics.

Reachability analysis. Thanks to Lemma 3.2 the co-reachability set can be expressed as a guarded term:

$$Pre^*(V) = \mu X.\, V \cup Pre(X) = \mu X.\, V \cup Pre(C_\uparrow(X)). \qquad (6)$$



Corollary 3.3. For regular $V \subseteq Conf$, $Pre^*(V)$ is regular and effectively computable.
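The iteration behind (6), as an added example that is not part of the paper: a small constructed LCS, with upward-closed sets of configurations represented by the finite antichain of their minimal elements (finite by Higman's Lemma, so the increasing chain of approximants stabilizes as Fact 2.1 predicts). It assumes the usual lossy semantics of footnote 3 (losses allowed before and after each perfect step), under which $Pre$ of an upward-closed set is again upward-closed, so every approximant $M_i$ is itself upward-closed; the rule encoding and the system are constructed for this illustration.

```python
# Added example (not from the paper): backward reachability Pre*(V) = mu X. V ∪ Pre(C↑(X))
# on a constructed lossy channel system, with upward-closed sets represented by the
# antichain of their minimal configurations. Assumes the "usual" lossy semantics of
# footnote 3 (losses before and after a perfect step), so Pre of an upward-closed set
# is upward-closed and every approximant M_i is upward-closed.
# Rules are (p, op, channel_index, message, q) with op in '!', '?', 'tau' (constructed encoding).

CHANNELS = ('c', 'd')
RULES = [
    ('p', '!', 0, 'a', 'q'),        # p --c!a--> q
    ('q', '!', 1, 'b', 'r'),        # q --d!b--> r
    ('r', '?', 0, 'a', 's'),        # r --c?a--> s
    ('s', '?', 1, 'b', 'p'),        # s --d?b--> p
    ('p', 'tau', None, None, 'p'),  # internal step; keeps p deadlock-free
]

def is_subword(u, v):
    """u ⊑ v in the subword ordering: u is obtained from v by erasing letters."""
    it = iter(v)
    return all(ch in it for ch in u)

def conf_leq(a, b):
    """(q, w) ⊑ (q', w') iff q = q' and w(c) ⊑ w'(c) for every channel c."""
    return a[0] == b[0] and all(is_subword(x, y) for x, y in zip(a[1], b[1]))

def minimize(confs):
    """Minimal elements of a finite set of configurations; they generate its upward-closure."""
    confs = set(confs)
    return frozenset(a for a in confs
                     if not any(b != a and conf_leq(b, a) for b in confs))

def pre_rule(rule, conf):
    """Minimal element of Pre[delta](C↑({conf})), or None if delta does not lead to conf's location."""
    p, op, i, m, q = rule
    loc, w = conf
    if loc != q:
        return None
    w = list(w)
    if op == '!':
        # the send appended m; losses after the step may drop it again, so the
        # predecessor only needs a trailing m (if there is one) removed
        if w[i].endswith(m):
            w[i] = w[i][:-len(m)]
    elif op == '?':
        # the receive consumed a leading m, which the predecessor must still hold
        w[i] = m + w[i]
    return (p, tuple(w))

def pre_upward(rules, generators):
    """Pre(C↑(generators)) as minimal elements (Pre of an upward-closed set is upward-closed)."""
    preds = {pre_rule(r, g) for g in generators for r in rules}
    preds.discard(None)
    return minimize(preds)

def pre_star(rules, target):
    """Approximants M_0 = ∅, M_{i+1} = V ∪ Pre(C↑(M_i)); stops at the first M_k = M_{k+1}.
    Returns the minimal elements of Pre*(V) and the number of iterations performed."""
    m, steps = frozenset(), 0
    while True:
        nxt = minimize(set(target) | set(pre_upward(rules, m)))
        steps += 1
        if nxt == m:          # decidable equality test on finite antichains (Fact 2.1)
            return m, steps
        m = nxt

def in_pre_star(generators, conf):
    """Membership in an upward-closed set given by its minimal elements."""
    return any(conf_leq(g, conf) for g in generators)

if __name__ == '__main__':
    target = {('s', ('', ''))}   # V = all configurations at location s (constructed)
    gens, n = pre_star(RULES, target)
    print(n, sorted(gens))
```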

Safety properties. More generally, safety properties can be handled. In CTL, they can be written $\forall(V_1 \mathsf{R} V_2)$. Recall that $\mathsf{R}$, the Release modality, is dual to Until: a state $\sigma$ satisfies $\forall(V_1 \mathsf{R} V_2)$ if and only if along all paths issuing from $\sigma$, $V_2$ always holds until maybe $V_1$ is visited. Using Lemma 3.2, $[\![\forall(V_1 \mathsf{R} V_2)]\!]$, the set of states where the safety property holds, can be defined as a guarded term:

$$[\![\forall(V_1 \mathsf{R} V_2)]\!] = \nu X.\big(V_2 \cap (\widetilde{Pre}(X) \cup V_1)\big) = \nu X.\big(V_2 \cap (\widetilde{Pre}(K_\downarrow(X)) \cup V_1)\big). \qquad (7)$$

Corollary 3.4. For regular $V_1, V_2 \subseteq Conf$, $[\![\forall(V_1 \mathsf{R} V_2)]\!]$ is regular and effectively computable.

Another formulation is based on the duality between the "$\forall\mathsf{R}$" and the "$\exists\mathsf{U}$" modalities.

Theorem 3.5. [25, sect. 5] If $f$ is a temporal formula in the $TL(\exists\mathsf{U}, \exists\mathsf{X}, \wedge, \neg)$ fragment of CTL (using regions for atomic propositions), then $[\![f]\!]$ is regular and effectively computable.

Proof. By induction on the structure of $f$, using $[\![\exists\mathsf{X} f]\!] \stackrel{def}{=} Pre([\![f]\!])$, and the fact that regions are (effectively) closed under complementation. □

Beyond safety. Inevitability properties, and recurrent reachability can be stated in $L_\mu$. With temporal logic notation, this yields

$$[\![\forall\Diamond V]\!] \stackrel{def}{=} \mu X.\big(V \cup (Pre(Conf) \cap \widetilde{Pre}(X))\big),$$
$$[\![\exists\Box\Diamond V]\!] \stackrel{def}{=} \nu X.\big(\mu Y.((V \cup Pre(Y)) \cap Pre(X))\big).$$

These two terms are not guarded and Lemma 3.2 is of no help here. However this is not surprising: firstly, whether $\sigma \models \exists\Box\Diamond V$ is undecidable [4]; secondly, and while $\sigma \models \forall\Diamond V$ is decidable, the set $[\![\forall\Diamond V]\!]$ cannot be computed effectively [27].

3.3 Generalized lossy channel systems 

Transition rules in LCS's do not carry guards, aka preconditions, beyond the implicit condition that a reading action $c?m$ is only enabled when $w(c)$ starts with $m$. This bare-bone definition is for simplification purposes, but actual protocols sometimes use guards that probe the contents of the channel before taking this or that transition. The simplest such guards are emptiness tests, like "$p \xrightarrow{c = \varepsilon?} q$", that only allow a transition from $p$ to $q$ if $w(c)$ is empty.

We now introduce LCS's with regular guards (GLCS's), an extension of the bare-bone model where any regular set of channel contents can be used to guard a transition rule. This generalizes emptiness tests, occurrence tests (as in [29]), etc., and allows expressing priority between rules since whether given rules are enabled is a regular condition.

Formally, we assume rules in $\Delta$ now have the form $p \xrightarrow{G : op} q$ with $p, q, op$ as before, and where $G$, the guard, can be any regular region. The operational semantics is as expected: when $\delta = p \xrightarrow{G : op} q$, there is a perfect step $\sigma \xrightarrow{\delta}_{perf} \sigma'$ iff $\sigma \in G$ and $\sigma'$ is obtained from $\sigma$ by the rule $p \xrightarrow{op} q$ (without any guard). Then, general steps $\sigma \xrightarrow{\delta} \rho$ are obtained from perfect steps $\sigma \xrightarrow{\delta}_{perf} \sigma'$ by message losses $\rho \sqsubseteq \sigma'$.

Verification of GLCS's. For GLCS's, $Pre$ and $Post$ are effective monotonic regularity-preserving operators as in the LCS case since

$$Pre[p \xrightarrow{G : op} q](R) = G \cap Pre[p \xrightarrow{op} q](R), \qquad Post[p \xrightarrow{G : op} q](R) = Post[p \xrightarrow{op} q](G \cap R).$$
Observe that Lemma 3.2 holds for GLCS's as well, so that Equations (6) and (7) entail a generalized version of Theorem 3.5.

Theorem 3.6. For all GLCS's $L$ and formulae $f$ in the $TL(\exists\mathsf{U}, \exists\mathsf{X}, \wedge, \neg)$ fragment, $[\![f]\!]$ is regular and effectively computable.



4 Solving games on lossy channel systems 

In this section, we consider turn-based games on GLCS's where two players, A and B, alternate their moves. Games play a growing role in verification where they address situations in which different agents have different, competing goals. We assume a basic understanding of the associated concepts: arena, play, strategy, etc. (otherwise see [20]).

Games on well-structured systems have already been investigated in [2,31,32]. The positive results in these three papers rely on ad-hoc finite convergence lemmas that are special cases of our Theorem 2.4.



4.1 Symmetric LCS-games with controllable message losses 

We start with the simplest kind of games on a GLCS: A and B play in turn, choosing the next configuration, i.e., picking what rule $\delta \in \Delta$ is fired, and what messages are lost.

Formally, a symmetric LCS-game is a GLCS $L = (Q_A, Q_B, C, M, \Delta)$ where the set of locations $Q = Q_A \cup Q_B$ is partitioned into two sets, one for each player, and where the rules ensure strict alternation: for all $p \xrightarrow{G : op} q \in \Delta$, $p \in Q_A$ iff $q \in Q_B$. Below, we shortly write $Conf_A$ for $Q_A \times (M^*)^C$, the regular region where it is A's turn to play. $Conf_B$ is defined similarly. Strict alternation means that the arena, $LTS_L$, is a bipartite graph partitioned in $Conf_A$ and $Conf_B$.

Reachability games. Reachability and invariant are among the simplest objectives for games. In a reachability game, A tries to reach a state in some set $V$, no matter how B behaves. This goal is denoted $\Diamond V$. It is known that such games are determined and that memoryless strategies are sufficient [20]. The set of winning configurations for A is denoted with $((A))\Diamond V$, and can be defined in $L_\mu$:

$$((A))\Diamond V = \mu X.\, V \cup [Conf_A \cap Pre(X)] \cup [Conf_B \cap \widetilde{Pre}(X)] \qquad (8)$$

The first occurrence of $X$ can be made upward-guarded by replacing $Pre(X)$ with $Pre(C_\uparrow(X))$ (Lemma 3.2). For the second occurrence, we can unfold the term, relying on the fixpoint equation $[\![\mu X.\varphi(X)]\!] = [\![\mu X.\varphi(\varphi(X))]\!]$. This will replace $Conf_B \cap \widetilde{Pre}(X)$ in (8) with

$$Conf_B \cap \widetilde{Pre}\big(V \cup [Conf_A \cap Pre(X)] \cup [Conf_B \cap \widetilde{Pre}(X)]\big). \qquad (\dagger)$$

Now, the strict alternation between $Conf_A$ and $Conf_B$ lets us simplify $(\dagger)$ into

$$Conf_B \cap \widetilde{Pre}\big(V \cup Pre(X)\big). \qquad (9)$$

Hence (8) can be rewritten into

$$((A))\Diamond V = \mu X.\, V \cup [Conf_A \cap Pre(C_\uparrow(X))] \cup [Conf_B \cap \widetilde{Pre}(V \cup Pre(C_\uparrow(X)))].$$
Invariant games. In invariant games, A's goal is to never leave some set $V \subseteq Conf$, no matter how B behaves. Invariant games are dual to reachability games, and the set of winning configurations $((A))\Box V$ is exactly $\overline{((B))\Diamond\overline{V}}$.

Repeated reachability games. Here A's goal is to visit $V$ infinitely many times, no matter how B behaves. The set of winning configurations is given by the following term:

$$((A))\Box\Diamond V = \nu Y.\, ((A))\Diamond\big[V \cap (\varphi_A(Y) \cup \varphi_B(Y))\big] \qquad (10)$$

where

$$\varphi_A(Y) \stackrel{def}{=} Conf_A \cap Pre\big(C_\uparrow(\widetilde{Pre}(K_\downarrow(Y)))\big), \qquad \varphi_B(Y) \stackrel{def}{=} Conf_B \cap \widetilde{Pre}(K_\downarrow(Y)),$$

and where we reuse (9) for $((A))\Diamond[\cdots]$.


Persistence games. In a persistence game, A aims at remaining inside $V$ from some moment on, no matter how B behaves. Dually, this can be seen as a repeated reachability game for B. Note that $((A))\Diamond\Box V = ((A))\Diamond(((A))\Box V)$.

Theorem 4.1 (Decidability of symmetric LCS-games). For symmetric LCS-games $L$ and regular regions $V$, the four sets $((A))\Diamond V$, $((A))\Box V$, $((A))\Diamond\Box V$, and $((A))\Box\Diamond V$ are (effective) regions. Hence reachability, invariant, repeated reachability, and persistence symmetric games are decidable on GLCS's.

Proof (Sketch). The winning sets can be defined by guarded $L_\mu$ terms.

Remark 4.2. There is no contradiction between the undecidability of $\exists\Box\Diamond V$ and the decidability of $((A))\Box\Diamond V$. In the latter case, B does not cooperate with A, making the goal harder to reach for A (and the property easier to decide for us). □



4.2 Asymmetric LCS-games with 1-sided controlled loss of messages 

Here we adopt the setting considered in [2]. It varies from the symmetric setting of section 4.1 in that only player B can lose messages (and can control what is lost), while player A can only make perfect steps. Note that this generalizes games where A plays moves in the channel system, and B is an adversarial environment responsible for message losses. We use the same syntax as for symmetric LCS-games.

Reachability and invariant games. Let us first consider games where one player tries to reach a regular region $V$ (goal $\Diamond V$), no matter how the other player behaves. The configurations where B can win a reachability game are given by:

$$((B))\Diamond V = \mu X.\, V \cup (Conf_B \cap Pre(X)) \cup (Conf_A \cap \widetilde{Pre}_{perf}(X))$$
$$= \mu X.\, V \cup (Conf_B \cap Pre(C_\uparrow(X))) \cup (Conf_A \cap \widetilde{Pre}_{perf}(V \cup Pre(C_\uparrow(X))))$$

where guardedness is obtained via Lemma 3.2 and unfolding.

When we consider a reachability game for A, the situation is not so clear: 



Neither Lemma 3.2 nor unfolding techniques can turn this into a guarded term. This should be expected since the set $((A))\Diamond V$ cannot be computed effectively [2].

Theorem 4.3 (Decidability of asymmetric LCS-games). For asymmetric LCS-games $L$ and regular regions $V$, the sets $((B))\Diamond V$ and $((A))\Box V$ are (effective) regions. Hence reachability games for B, and invariant games for A are decidable on GLCS's.

Proof (Sketch). Invariant games are dual to reachability games, and the winning set $((B))\Diamond V$ is defined by a guarded term.

5 Channel systems with probabilistic losses

LCS's where message losses follow probabilistic rules have been investigated as a less pessimistic model of protocols with unreliable channels (see [34,19] and the references therein).

In [2], we present decidability results for LCS's seen as combining nondeterministic choice of transition rules with probabilistic message losses. The semantics is in terms of Markovian decision processes, or 1½-player games, whose solutions can be defined in $L_\mu$. Indeed, we found the inspiration for $L_\mu$ and our Theorem 2.4 while extending our results in the MDP approach to richer sets of regions.

In this section, rather than rephrasing our results on 1½-player games on LCS's, we show how to deal with 2½-player games [16] on LCS's, i.e., games opposing players A and B (as in section 4) but where message losses are probabilistic.

Formally, a symmetric probabilistic LCS-game $L = (Q_A, Q_B, C, M, \Delta)$ is exactly like a symmetric LCS-game but with an altered semantics: in state $\sigma \in Conf_A$, player A selects a fireable rule $\delta \in \Delta$ (B picks the rule if $\sigma \in Conf_B$) and the system moves to a successor state $\rho$ where $\sigma \xrightarrow{\delta}_{perf} \sigma' \sqsupseteq \rho$ and $\rho$ is chosen probabilistically in $C_\downarrow(\{\sigma'\})$. The definition of the probability distribution $P(\sigma, \delta, \rho)$ can be found in [34,9] where it is called the local-fault model. It satisfies $P(\sigma, \delta, \rho) > 0$ iff $\rho \sqsubseteq \sigma'$ (assuming $\sigma \xrightarrow{\delta}_{perf} \sigma'$). Additionally it guarantees a finite-attractor property: the set of states where all channels are empty will be visited infinitely many times almost surely [1,18].

Reachability games. Assume A tries to reach region V (goal $\Diamond V$) with probability 1 
no matter how B behaves. The set $\langle\!\langle A\rangle\!\rangle[\Diamond V]_{=1}$ of states in which A has an almost-sure 
winning strategy is given by 

$$\langle\!\langle A\rangle\!\rangle[\Diamond V]_{=1} \;=\; \nu Y.\,\mu X.\Big( V \,\cup\, \big[\mathit{Conf}_A \cap \mathit{Pre}_{\mathit{perf}}\big(C_\uparrow(X) \cap K_\downarrow(Y)\big)\big] \,\cup\, \big[\mathit{Conf}_B \cap \widetilde{\mathit{Pre}}_{\mathit{perf}}\big(C_\uparrow(X) \cap K_\downarrow(Y)\big)\big] \Big) \qquad (11)$$
Remark 5.1. Justifying (11) is outside the scope of this paper, but we can try to give 
an intuition of why it works: the inner fixpoint "$\mu X.\, V \cup \cdots$" defines the largest set from 
which A has a strategy to reach V no matter what B does if the message losses are 
favorable. However, whatever messages are lost, A's strategy also guarantees that the 
system will remain in Y, from which it will be possible to retry the strategy for $\Diamond V$ 
as many times as necessary. This will eventually succeed almost surely thanks to the 
finite-attractor property. □ 

Invariant games. Assume now A tries to stay in V almost surely (goal $[\Box V]_{=1}$), no 
matter how B behaves. Then A must ensure $\Box V$ surely and we are considering a 2-player 
game where message losses are adversarial and could as well be controlled by 
B. This leads to 

$$\langle\!\langle A\rangle\!\rangle[\Box V]_{=1} \;=\; \nu X.\, V \cap \Big( \big[\mathit{Conf}_A \cap \mathit{Pre}_{\mathit{perf}}(K_\downarrow(X))\big] \,\cup\, \big[\mathit{Conf}_B \cap \widetilde{\mathit{Pre}}(X)\big] \Big) \qquad (12)$$

$$\phantom{\langle\!\langle A\rangle\!\rangle[\Box V]_{=1}} \;=\; \nu X.\, V \cap \Big( \big[\mathit{Conf}_A \cap \mathit{Pre}_{\mathit{perf}}(K_\downarrow(X))\big] \,\cup\, \big[\mathit{Conf}_B \cap \widetilde{\mathit{Pre}}(K_\downarrow(X))\big] \Big)$$

In (12), the subterm $\mathit{Pre}_{\mathit{perf}}(K_\downarrow(X))$ accounts for states in which A can choose a perfect 
move that will end in $K_\downarrow(X)$, i.e., that can be followed by any adversarial message losses 
and still remain in X. The subterm $\widetilde{\mathit{Pre}}(X)$ accounts for states in which B cannot avoid 
going to X, even with message losses under his control. $\widetilde{\mathit{Pre}}(X)$ can be rewritten into 
$\widetilde{\mathit{Pre}}(K_\downarrow(X))$ thanks to Lemma 3.2, so that we end up with a guarded term. 

Goals to be satisfied with positive probability. In 2½-player games, it may happen that 
a given goal can only be attained with some non-zero probability [16]. Observe that, 
since the games we consider are determined [26], the goals $[\Diamond V]_{>0}$ or $[\Box V]_{>0}$ are the 
opposite of goals asking for probability 1: 

$$\langle\!\langle A\rangle\!\rangle[\Diamond V]_{>0} = \overline{\langle\!\langle B\rangle\!\rangle[\Box\,\overline{V}]_{=1}}, \qquad \langle\!\langle A\rangle\!\rangle[\Box V]_{>0} = \overline{\langle\!\langle B\rangle\!\rangle[\Diamond\,\overline{V}]_{=1}}.$$

Theorem 5.2 (Decidability of qualitative symmetric probabilistic LCS-games). For 
symmetric probabilistic LCS-games L and regular regions V, the sets $\langle\!\langle A\rangle\!\rangle[\Diamond V]_{=1}$, 
$\langle\!\langle A\rangle\!\rangle[\Diamond V]_{>0}$, $\langle\!\langle A\rangle\!\rangle[\Box V]_{=1}$, and $\langle\!\langle A\rangle\!\rangle[\Box V]_{>0}$ are (effective) regions. Hence qualitative 
reachability and invariant games are decidable on GLCS's. 

Proof (Sketch). These sets can be defined by guarded terms. □ 
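To make the fixpoint formulas (11) and (12), and the rewriting step attributed to Lemma 3.2, concrete, the following is an added Python example; it is not code from the paper or from its authors. It evaluates both formulas by plain set iteration on a constructed toy game: one control state per player, a single message type, and a channel truncated to at most N = 2 messages so that the configuration set is finite. Everything specific to the toy (the rules, the bound N, the goal regions, and the convention that a send is disabled when the channel is full) is an assumption of this example. On the infinite, well-quasi-ordered configuration set it is the paper's finite-convergence theorem that makes the same evaluation terminate; the example does not replicate that part.

```python
"""Qualitative winning sets (11) and (12) of a symmetric probabilistic LCS-game,
evaluated on a finite truncation of its configuration space.

Added example, not the paper's code. The control states, rules, goal regions
and the channel bound N are constructed for illustration only."""
from itertools import chain, combinations

N = 2                          # constructed bound on channel length (finite truncation)
Q_A, Q_B = {"a"}, {"b"}        # control states owned by players A and B
# Rules (q, op, q'): "!m" sends message m, "?m" receives it, "nop" is an internal step.
RULES = [("a", "!m", "b"), ("a", "nop", "a"),
         ("b", "?m", "a"), ("b", "nop", "b"), ("b", "!m", "b")]

# Configurations (control state, channel content) with at most N messages.
CONF = frozenset((q, "m" * k) for q in Q_A | Q_B for k in range(N + 1))
CONF_A = frozenset(c for c in CONF if c[0] in Q_A)
CONF_B = frozenset(c for c in CONF if c[0] in Q_B)


def is_subword(u, v):
    """True if u is obtained from v by deleting letters."""
    it = iter(v)
    return all(ch in it for ch in u)


def below(rho, sigma):
    """rho ⊑ sigma: same control state, channel content with some messages lost."""
    return rho[0] == sigma[0] and is_subword(rho[1], sigma[1])


def perf_succ(sigma):
    """Perfect (loss-free) successors of sigma under its fireable rules."""
    q, w = sigma
    out = set()
    for src, op, dst in RULES:
        if src != q:
            continue
        if op == "nop":
            out.add((dst, w))
        elif op[0] == "!" and len(w) < N:      # assumption: sends are disabled at the bound
            out.add((dst, w + op[1]))
        elif op[0] == "?" and w.startswith(op[1]):
            out.add((dst, w[1:]))
    return out


def lossy_succ(sigma):
    """Successors of a lossy step: a perfect move followed by arbitrary losses."""
    return {r for s in perf_succ(sigma) for r in CONF if below(r, s)}


def pre_perf(S):
    """Pre_perf(S): some perfect move leads into S."""
    return {c for c in CONF if perf_succ(c) & S}


def pre_perf_all(S):
    """P~re_perf(S): there is a move, and every perfect move leads into S."""
    return {c for c in CONF if perf_succ(c) and perf_succ(c) <= S}


def pre_lossy_all(S):
    """P~re(S): there is a move, and every lossy step leads into S."""
    return {c for c in CONF if lossy_succ(c) and lossy_succ(c) <= S}


def up(S):
    """C↑(S): configurations from which some losses land in S (upward closure)."""
    return {c for c in CONF if any(below(r, c) for r in S)}


def kernel(S):
    """K↓(S): configurations all of whose lossy variants remain in S."""
    return {c for c in CONF if all(r in S for r in CONF if below(r, c))}


def lfp(f):
    """Least fixpoint μX.f(X), iterated from the empty set."""
    X = set()
    while (nxt := f(X)) != X:
        X = nxt
    return X


def gfp(f):
    """Greatest fixpoint νX.f(X), iterated from the full configuration set."""
    X = set(CONF)
    while (nxt := f(X)) != X:
        X = nxt
    return X


def almost_sure_reach(V):
    """(11): νY.μX. V ∪ [Conf_A ∩ Pre_perf(C↑X ∩ K↓Y)] ∪ [Conf_B ∩ P~re_perf(C↑X ∩ K↓Y)]."""
    V = set(V)

    def outer(Y):
        KY = kernel(Y)          # A's strategy must keep the play inside Y whatever is lost
        return lfp(lambda X: V
                   | (CONF_A & pre_perf(up(X) & KY))
                   | (CONF_B & pre_perf_all(up(X) & KY)))
    return gfp(outer)


def almost_sure_invariant(V, guarded=True):
    """(12): νX. V ∩ ([Conf_A ∩ Pre_perf(K↓X)] ∪ [Conf_B ∩ P~re(X)]);
    the guarded form replaces P~re(X) by P~re_perf(K↓X)."""
    V = set(V)
    pre_b = (lambda X: pre_perf_all(kernel(X))) if guarded else pre_lossy_all
    return gfp(lambda X: V & ((CONF_A & pre_perf(kernel(X))) | (CONF_B & pre_b(X))))


def lemma_holds():
    """Exhaustive check on the toy that P~re(S) = P~re_perf(K↓(S)) for every S ⊆ CONF."""
    confs = sorted(CONF)
    subsets = chain.from_iterable(combinations(confs, k) for k in range(len(confs) + 1))
    return all(pre_lossy_all(set(S)) == pre_perf_all(kernel(set(S))) for S in subsets)


if __name__ == "__main__":
    short = {c for c in CONF if len(c[1]) <= 1}     # constructed goal: channel never full
    print(sorted(almost_sure_reach({("a", "")})))   # A-states: B can loop in b forever
    print(sorted(almost_sure_reach({("b", "m")})))  # only the goal itself: the send may be lost
    print(sorted(almost_sure_invariant(short)))     # A-states with a short channel
    print(lemma_holds())
```

The two reachability goals show the two halves of (11) at work: with goal (a, ε) the inner μ suffices, since A only needs the channel to drain while B cannot keep control; with goal (b, m) the first inner fixpoint is large, but the outer ν shrinks it because every B-configuration has the lossy variant (b, ε) outside the candidate set, so K↓(Y) removes it and only the goal survives, matching the fact that the single send can be lost with positive probability. The exhaustive `lemma_holds` check is the rewriting of the B-term in (12) into its guarded form on this toy.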

6 Conclusion 

We defined a notion of upward/downward-guarded fixpoint expressions that define subsets 
of a well-quasi-ordered set. For these guarded fixpoint expressions, a finite convergence 
theorem is proved that shows how the fixpoints can be evaluated with a finite 
number of operations. This has a number of applications, in particular in the symbolic 
verification of well-structured systems, our original motivation. We illustrate this in the 
second part of the paper, with lossy channel systems as a target. For these systems, we 
derive in an easy and uniform way a number of decidability theorems that extend or 
generalize the main existing results in the verification of temporal properties or game-theoretical properties. 

These techniques can be applied to other well-structured systems, with a region algebra 
built on, e.g., upward-closed sets. Admittedly, many examples of well-structured 
systems do not enjoy closure properties as nice as our Lemma 3.2 for LCS's, which 
will make it more difficult to express interesting properties in the guarded fragment of 
$L_\mu$. But this can still be done, as witnessed by [31,32], where the authors introduced a 
concept of Z?-games and BZ?-games that captures some essential closure assumptions 
allowing the kind of rewritings and unfoldings we have justified with Lemma 3.2. 